rules/findings/m365/microsoft_defender/malware/ms-defender-lack-of-comprehensive-attachment-filtering.json
|
{
"args": [ ], "provider": "Microsoft365", "serviceType": "Defender", "serviceName": "Microsoft 365", "displayName": "Ensure comprehensive attachment filtering is applied", "description": "The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails. The policy provided by Microsoft covers 53 extensions, and an additional custom list of extensions can be defined. The list of 187 extensions provided in this recommendation is comprehensive but not exhaustive.", "rationale": "\r\n\t\t\tBlocking known malicious file types can help prevent malware-infested files from infecting a host or performing other malicious attacks such as phishing and data extraction. \r\n\t\t\tDefining a comprehensive list of attachments can help protect against additional unknown and known threats. Many legacy file formats, binary files and compressed files have been used as delivery mechanisms for malicious software. Organizations can protect themselves from Business E-mail Compromise (BEC) by allow-listing only the file types relevant to their line of business and blocking all others. \r\n ", "impact": "For file types that are business necessary users will need to use other organizationally approved methods to transfer blocked extension types between business partners.", "remediation": { "text": null, "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/powershell/module/exchange/get-malwarefilterpolicy?view=exchange-ps", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "6.1.0", "reference": "2.1.11", "profile": [ "E3 Level 2", "E5 Level 2" ] } ], "level": "low", "tags": [ ], "rule": { "path": "o365_exo_malware_policy", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "missingExtensions.Count", "gt", "0" ] ] } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "policyName": "Policy Name", "rule.Name": "Rule Name", "isDefault": "Default", "isEnabled": "Enabled" }, "expandObject": null }, "table": "default", "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "showGoToButton": false, "showModalButton": true, "directLink": null } }, "text": { "data": { "properties": { "policyName": "Policy Name", "rule.Name": "Rule Name", "isDefault": "Default", "isEnabled": "Enabled" }, "expandObject": null }, "status": { "keyName": [ "policyName" ], "message": "Ensure comprehensive attachment filtering is applied in {policyName}", "defaultMessage": null }, "properties": { "resourceName": "policyName", "resourceId": "policyId", "resourceType": "EXOMalwarePolicy" }, "onlyStatus": false } }, "idSuffix": "m365_exo_lack_attachment_filtering", "notes": [ ], "categories": [ ], "immutable_properties": [ "ruleId" ], "id": "microsoft365_2131" } |